A Consistency Model for Identity Information in Distributed Systems

In distributed IT systems, replication of information is commonly used to strengthen the fault tolerance on a technical level or the autonomy of an organization on a business level. In particular, information related to the identity of a user, which is used to authorize service access, is often replicated for these reasons. To ensure correct authorization decisions, replicas have to be kept consistent. However, an appropriate definition of “consistency” is required that takes into account the need for the following aspects: (i) semantic and causal relations between identity information, and (ii) temporal aspects with respect to an acceptable duration of the dissemination of occurring attribute changes. Both identity-information specifics and temporal aspects are not addressed sufficiently by existing consistency models. In this paper we introduce a consistency model for identity information in distributed systems named ID-consistency. ID-consistency is based on a formalization of identity information and considers semantic and causal relations as well as a so-called inconsistency window that denotes the time period between a change to information and the moment when the change is fully disseminated. Therefore, the model reveals the fundamental structure of an IdM system and helps in the design and analysis of corresponding dissemination middleware in distributed systems. We exemplarily show how to make use of the concept of ID-consistency to analyze and improve a real-world IdM system using CardSpace for demonstration purposes.